New SEC Guidance on Reporting Data Security Risk

In our recent post on a 2011 SEC cybersecurity guidance, we briefly sketched out what public companies are supposed to be doing in terms of informing investors about risks related to security threats and actual incidents. As it happens, late last month the SEC issued a further guidance on cybersecurity disclosures, which “reinforces and expands” on the older one. Coincidence?

Of course! But it’s a sign of the times that we’re all thinking about how to take into account data security risks in business planning.

Just to refresh memories, the SEC asked public companies to report data security risk and incidents that have a “material impact” for which reasonable investors would want to know about. The reports can be filed annually in a 10-K, quarterly in a 10-Q, or, if need be, in a current report or 8-K.

Nowhere in the SEC laws and relevant regulations do the words data security or security risk show up. Instead “material risks”, “materiality”, and “material information” are heavily sprinkled throughout — lawyer-speak for business data and events worth letting investors know about.

Looking for Material

It’s probably best to quote directly from the SEC guidance on the subject of materiality:

The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations …

An important point to make about the SEC language above is that it’s not about any one particular thing — report ransomware, or a DoS attack — but rather, as the lawyers say, you have to do fact-based inquiry. If you want to get more of a flavor of this kind of analysis, check out this legal perspective.

However, the SEC does provide some insight into evaluating reportable security risks. The complete list is in the guidance, but here are a few that would be most relevant to IOS readers: the occurrence of prior cybersecurity incidents, the probability and magnitude of a future incident, the adequacy of preventive actions taken to reduce cybersecurity risk, the potential for reputational harm, and litigation, regulatory, and remediation costs.

What about the types of real-world incidents that would have to be disclosed or reported?

I searched and searched, and I did find an example buried in a footnote — wonks can peruse the amazing footnote 33. It’s probably not a great surprise to learn that investors would be interested in knowing when “compromised information might include personally identifiable information, trade secrets or other confidential business information, the materiality of which may depend on the nature of the company’s business, as well as the scope of the compromised information.”

In short, the SEC guidance is just telling us what we in data security already know: the exposure of sensitive PII, such as social security and credit card numbers, or passwords to bank accounts, or trade secrets regarding, say, a cryptocurrency application, require notifying C-levels, affected customers, and regulators. And now investors as well.

Something Noteworthy: Security Policies and Procedures

Sure the typical regulatory verbiage can quickly put you into REM sleep, but occasionally there’s something new and noteworthy buried in the text.

And this latest SEC guidance does have some carefully worded advice regarding cybersecurity procedures and policies. The SEC “encourages” public companies to have them, and to review their compliance. It also asks companies to review their cybersecurity disclosure controls and procedures, and to make sure they are sufficient to notify senior management so they can properly report it.

It’s worth repeating that SEC rules and regulations cover general business risk, not specifically cybersecurity risk. The guidance recommends that companies evaluate this special risk and inform investors when the risks change, and of course let them know about material cybersecurity incidents.

Musings on Cybersecurity Disclosures for Public Companies

In the US, unlike in the EU, there is no single federal data security and breach notification law that covers private sector companies. Sure, we do have HIPAA and GLBA for healthcare and financial, but there isn’t an equivalent to the EU’s GPDR or, say, Canada’s PIPEDA. I’m aware that we have state breach notification laws, but for the most part they’re limited in the PII they cover and have a fairly high threshold for reporting incidents.

However, with this last SEC guidance, we have, for the first time, something like a national data security rule of thumb — not an obligation but rather a strong suggestion — to have data security controls and reporting in place.

The SEC guidance is based on what investors should be made aware of and wouldn’t necessarily cover serious cybersecurity risks and incidents that don’t have a material financial or business impact.

However, it’s certainly an indication that change is afoot, and US public companies should be thinking about upping their data security game before they’re ultimately required to do so through a future law.

Let’s just say they have been warned.

Andy Green

Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what it means for IT security.